Sony Corp. warned its 77 million PlayStation Network and Qriocity online service customers that their credit-card data, billing addresses and other personal information may have been stolen by a hacker.
“While there is no evidence at this time that credit-card data was taken, we cannot rule out the possibility,” Patrick Seybold, a Sony spokesman, said on the company blog page. The hacker obtained user-provided names, e-mail addresses, birth dates, log-in information and purchase history, Seybold said.
The Sony intrusion follows a March 30 breach at Alliance Data System Corp.’s Epsilon Data Management LLC, which resulted in the theft of customer data at banks including Citigroup Inc. and JPMorgan Chase & Co., as well as retailers Best Buy Co. and Walgreen Co.
Sony fell 2 percent to 2,366 yen at the close of trading in Tokyo today, slumping for a fourth consecutive day. The benchmark Nikkei 225 Stock Average rose 1.4 percent.
The company reported the intrusion to the Federal Bureau of Investigation office in San Diego that specializes in cybercrime, the New York Times said on its website. Darrell Foxworth, an FBI special agent in San Diego, said he can neither confirm nor deny whether there is an investigation.
Resume Within a Week
The PlayStation Network, which provides access to online games, movies and TV shows, was attacked from April 17 to April 19. Sony had combined PlayStation Network customer data with Qriocity, which offers movies or music in 11 nations on Web-connected Bravia TVs and Blu-ray players. That service also was compromised, Sony said.
Sony shut down both services April 20. Some features were expected to be restored within a week, Seybold said. The company recommends that people change their passwords and user IDs when service is restored and to do the same elsewhere if they reuse the same login data with other businesses.
“The PSN service troubles have certainly come at an inopportune moment in light of the firm’s announcement on 26 April of a move into tablets as part of efforts to beef up network services,” Koki Shiraishi, a Tokyo-based analyst at Daiwa Institute of Research Ltd., wrote in a report today.
The six-day delay in notifying customers of the intrusion is “troubling,” U.S. Senator Richard Blumenthal, a Democrat from Connecticut, told Sony Computer Entertainment President Jack Tretton in a letter dated April 26.
“PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony,” wrote Blumenthal, a former Connecticut attorney general.
Sony also should pay for insurance to protect affected users from identity theft, he said.
Seybold didn’t immediately return a phone call and e-mail message seeking comment on the letter.
The Tokyo-based company has hired a security firm to conduct a complete investigation into the intrusion and is rebuilding the system to offer more protection, Seybold said in the blog posting.
Citigroup, JPMorgan, US Bancorp, Best Buy, Walgreen, New York & Co. and at least 14 others reported their customers’ data was stolen in the March 30 breach at Epsilon. The Dallas-based provider of e-mail marketing services says it sends out more than 40 billion e-mails a year on behalf of more than 600 companies.